Abstract
White-box cryptography concerns the design and analysis of implementations of cryptographic algorithms engineered to execute on untrusted platforms. Such implementations are said to operate in a white-box attack context. This is an attack model where all details of the implementation are completely visible to an attacker: not only do they see input and output, they see every intermediate computation that happens along the way. The goal of a white-box attacker when targeting an implementation of a cipher is typically to extract the cryptographic key; thus, white-box implementations have been designed to thwart this goal (i.e., to make key extraction difficult/infeasible). The academic study of white-box cryptography was initiated in 2002 in the seminal work of Chow et al. (White-box cryptography and an AES implementation. In: Selected areas in cryptography: 9th annual international workshop, SAC 2002. Lecture notes in computer science, vol 2595, pp 250–270, 2003). Here, we review the first white-box AES implementation proposed by Chow et al. and give detailed information on how to construct it. We provide a number of diagrams that summarize the flow of data through the various look-up tables in the implementation, which helps clarify the overall design. We then briefly review the impressive 2004 cryptanalysis by Billet et al. (Cryptanalysis of a white box AES implementation. In: Selected areas in cryptography: 11th international workshop, SAC 2004. Lecture notes in computer science, vol 3357, pp 227–240, 2005). The BGE attack can be used to extract an AES key from Chow et al.’s original white-box AES implementation with a work factor of about \(2^{30}\), and this fact has motivated subsequent work on improved AES implementations.
Notes
1. More generally, the results are also cited incorrectly in anti-DRM commentaries. Barak has published a non-technical summary of their results in an attempt to dispel some of the confusion (see http://www.cs.princeton.edu/~boaz/Papers/obf_informal.html).
2. The state variable is usually described as a two-dimensional array of bytes (i.e., a 4 × 4 array). However, the four columns can be concatenated end-to-end to form a one-dimensional array. Using a one-dimensional array simplifies some of our notation and diagrams.
3. The attacker can also compute the key byte directly: \(a = S^{-1} \circ Ty_{0}^{-1} \circ (Ty_{0} \circ T_{0}^{1})(0)\).
References
B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang. On the (Im)possibility of Obfuscating Programs (Extended Abstract). In “Advances in Cryptology – CRYPTO 2001: 21st Annual International Cryptology Conference”, Lecture Notes in Computer Science 2139 (2001), 1–18. Full version available from http://eccc.hpi-web.de/report/2001/057/.
O. Billet, H. Gilbert, and C. Ech-Chatbi. Cryptanalysis of a White Box AES Implementation. In “Selected Areas in Cryptography: 11th International Workshop, SAC 2004”, Lecture Notes in Computer Science 3357 (2005), 227–240.
D. Boneh, R. DeMillo, and R. Lipton. On the importance of checking cryptographic protocols for faults. Journal of Cryptology 14 (2001), 101–119.
S. Chow, P. Eisen, H. Johnson, and P.C. van Oorschot. White-Box Cryptography and an AES Implementation. In “Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002”, Lecture Notes in Computer Science 2595 (2003), 250–270.
S. Chow, P. Eisen, H. Johnson, and P.C. van Oorschot. A White-box DES Implementation for DRM Applications. In “Digital Rights Management: ACM CCS-9 Workshop, DRM 2002”, Lecture Notes in Computer Science 2696 (2003), 1–15.
J. Daemen and V. Rijmen. AES submission document on Rijndael, Version 2, September 1999. Available from http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf.
FIPS 197. Advanced Encryption Standard. Federal Information Processing Standards Publication 197, U.S. Department of Commerce / National Institute of Standards and Technology, 2001. Available from http://www.csrc.nist.gov/publications/fips/.
L. Goubin, J.-M. Masereel, and M. Quisquater. Cryptanalysis of White-Box DES Implementations. In “Selected Areas in Cryptography: 14th International Workshop, SAC 2007”, Lecture Notes in Computer Science 4876 (2007), 278–295.
S. Hohenberger, G. Rothblum, A. Shelat, and V. Vaikuntanathan. Securely Obfuscating Re-Encryption. In “Theory of Cryptography: 4th Theory of Cryptography Conference, TCC 2007”, Lecture Notes in Computer Science 4392 (2007), 233–252.
M. Karroumi. Protecting White-Box AES with Dual Ciphers. In “Information Security and Cryptology – ICISC 2010”, Lecture Notes in Computer Science 6829 (2010), 278–291.
P. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In “Advances in Cryptology – CRYPTO ’96”, Lecture Notes in Computer Science 1109 (1996), 104–113.
P. Kocher, J. Jaffe, and B. Jun. Differential Power Analysis. In “Advances in Cryptology – CRYPTO ’99”, Lecture Notes in Computer Science 1666 (1999), 388–397.
W. Michiels and P. Gorissen. “Cryptographic Method for a White-Box Implementation”. U.S. Patent Application 2010/0080395 A1, filed November 9, 2007.
W. Michiels and P. Gorissen. “Cryptographic System”. U.S. Patent Application 2011/0116625 A1, filed March 2, 2009.
C. E. Shannon. Communication Theory of Secrecy Systems. Bell System Technical Journal 28 (1949), 656–715.
B. Wyseur. “White-Box Cryptography”, PhD thesis, Katholieke Universiteit Leuven, 2009.
B. Wyseur, W. Michiels, P. Gorissen, and B. Preneel. Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings. In “Selected Areas in Cryptography: 14th International Workshop, SAC 2007”, Lecture Notes in Computer Science 4876 (2007), 264–277.
Y. Xiao and X. Lai. A Secure Implementation of White-Box AES. In “2009 2nd International Conference on Computer Science and its Applications: CSA 2009”, IEEE (2009), 6 pages.
Acknowledgements
The author thanks Phil Eisen who, over a number of conversations and presentations at Irdeto, motivated the style of exposition on AES in Sect. 9.3. Thanks are also extended to Michael Wiener who provided valuable comments on a preliminary draft of this work (especially with regards to the local security of the composed T-box/\(Ty_i\) tables). Also, conversations on white-box cryptography with Jeremy Clark, Alfred Menezes and Anil Somayaji were helpful in directing some of our commentary. Thanks also go to Elif Bilge Kavun who pointed out a notational error in a previous version of Sect. 9.4.2.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this chapter
Muir, J.A. (2012). A Tutorial on White-Box AES. In: Kranakis, E. (eds) Advances in Network Analysis and its Applications. Mathematics in Industry, vol 18. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30904-5_9
DOI: https://doi.org/10.1007/978-3-642-30904-5_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30903-8
Online ISBN: 978-3-642-30904-5